Hi everyone,
I’m creating a workflow in InsightConnect that I want to be triggered only manually by analysts using the “Take Action” button inside InsightIDR Investigations.
I don’t want the workflow to run automatically from any detection rule. It should only be available when the analyst chooses to run it manually.
My questions are:
- What is the correct or recommended trigger setup for this? Should I just create the workflow with no trigger so it only appears in “Take Action”?
- Are there any best practices for this kind of manual workflow? For example, input fields, user access control, or anything else to consider?
I’ve seen that the “InsightIDR Detection Rule” trigger runs automatically, and the “Legacy Detection Rule” doesn’t work with modern rules and investigations.
I just want to confirm that having no trigger is the right approach to make the workflow available only through Take Action.
Thanks in advance for the help.
This will be tricky due to the different schema types per detection rule.
You will want to test it out with multiple rules to see how best to extract the asset and the user, as they won’t be included in the initial payload. They are generally going to be contained in the Get Evidence Details step, and that schema output is different for each detection category.
You can make a path based on detection category so that you are working with a constant schema type, or you can come up with a clever JQ statement that will always find the asset and user no matter the schema type.
We have the extract it plugin if you want to parse IOC’s out.
Thanks! That makes sense.
Just to add some context — I’m using the “Block Domain Account with Active Directory from InsightIDR” template, and I’ve set it up so the analyst can choose the username manually using an Artifact input (sometimes more than one user).
I’m not extracting the user automatically yet, but I’d like to start doing that with Get Evidence Details when possible — mainly to make the process quicker for the analyst.
What’s the simplest and most reliable way to pull the username from different detection types using jq?
Thanks again!
I am not sure the best method for a JQ statement. If it is your email domain you can just do a match for that key that contains the domain, but if it is a username not an email you will have to discover what that key is called in each schema type that contains a user if a user is contained in the detection.
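An added example, not from this thread or from InsightConnect itself, of the schema-agnostic search suggested above: it walks any evidence payload and returns strings found under known user keys or ending in your e-mail domain, with the equivalent jq for the e-mail case in a comment. The two sample payloads and the user key names are constructed assumptions, since real InsightIDR evidence keys differ per detection category.

```python
from __future__ import annotations
import re
from typing import Any, Iterator

# Constructed sample payloads imitating two "Get Evidence Details" outputs
# with different schemas (hypothetical field names).
EVIDENCE_AUTH = {
    "category": "authentication",
    "details": {"target_user": "jdoe", "source_asset": "WS-0042"},
}
EVIDENCE_EMAIL = {
    "category": "phishing",
    "message": {"recipients": ["j.doe@example.corp", "ops@example.corp"],
                "sender": "attacker@evil.example"},
}

# Key names that commonly carry a user; extend this set after testing each
# detection category, as the thread recommends (assumed list).
USER_KEYS = {"user", "username", "target_user", "account", "samaccountname"}

def walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (jq-style path, leaf value) for every leaf in a nested payload."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, node

def find_users(payload: Any, email_domain: str) -> list[str]:
    """Return unique user candidates in document order: any string stored under
    a key in USER_KEYS, or any string ending in @<email_domain>.
    jq equivalent for the e-mail case: [.. | strings | select(test("@dom$"))] | unique
    """
    domain_re = re.compile(r"@" + re.escape(email_domain) + r"$", re.IGNORECASE)
    found: list[str] = []
    for path, value in walk(payload):
        if not isinstance(value, str):
            continue
        # Last path segment without any trailing list index, e.g. "recipients[0]" -> "recipients"
        leaf_key = path.rsplit(".", 1)[-1].split("[")[0].lower()
        if (leaf_key in USER_KEYS or domain_re.search(value)) and value not in found:
            found.append(value)
    return found
```

Run the two payloads through find_users with your domain to see which keys each detection category actually populates before wiring the result into the blocking step.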
Thanks for the reply!
To clarify — I’m not looking to auto-extract the user right now. The analyst will choose the username manually using an Artifact input.
My main concern is actually with the trigger. I just want to make sure the workflow does not run automatically from any detection rule. It should only be available manually through Take Action in an investigation.
Is the correct setup to simply use no trigger at all when building the workflow? Or is there a specific trigger type that makes it available in Take Action but doesn’t run automatically?
Appreciate the help!
This is the trigger you need. As long as you don’t tie it to a specific rule in IDR you should be good to go.

Thanks!
Quick follow-up: if I use a Human Decision step in the workflow (for example, to confirm containment), where does the prompt show up for the analyst?
- In a manual workflow triggered via Take Action inside an InsightIDR investigation, will the decision appear directly in the investigation view?
- And in an automatic workflow triggered by the “InsightIDR Detection Rule”, will the analyst still get the decision prompt in the investigation, or would they need to go to InsightConnect > Jobs to respond?
Just trying to understand where that decision step appears in both manual and automated flows.
Thanks again!
Apologies for the delayed response.
If you use a human decision in a workflow with the take action button you will have a banner that appears across the top. If you click “review decision” it takes you to the automation tab within InsightIDR where you can see all your jobs that have a decision waiting. Choose your path, and the banner will disappear after 15 to 30 seconds.
If you include an artifact before your human decision point you will have the option of including that artifact in your email notification. It is just a nice way to display summary information about the workflow and the alert without needing to navigate back to IDR to investigate.
Hi ,
Thx for the response.
I’m trying to extract the dn value from the output of a “Search User AD” step, which is based on an LDAP query. The query returns the following structure:
[
  {
    "attributes": "...",
    "dn": "CN=User Connect,CN=Users,DC=evil,DC=corp"
  }
]
I’m trying to use the dn value to perform a user block later in the workflow, but I’m not able to access it correctly. I’ve already tried multiple formats, including:
{{["Search User AD"].[results].dn}}
{{["Search User AD"].["results"].["dn"]}}
{{["Search User AD"].[results].[dn]}}
{{["Search User AD"].[$results].[dn]}}
{{["Search User AD"].[results].["dn"]}}
None of these work — the field either comes back empty or causes an error.
Assuming results is an array, I believe the correct reference should be:
{{["Search User AD"]["results"][0]["dn"]}}
Could you confirm if this is the right way to access the dn value in this context? Or is there a better way to extract the first result’s dn from the LDAP query output?
Appreciate your help!
I am glad you were able to resolve it. Apologies for not getting back to you sooner.
Was it something like {{["Search User AD"].["results"].[0].[attributes].["dn"]}}?
Yes, it was {{["Search User AD"].[results].[0].[dn]}}.
It was just .[0]. that I was missing.